(54) Title: A LOG-ON VERIFICATION PROTOCOL 
(57) Abstract 

A method and apparatus for authenticating a pair of correspondents C, S to permit exchange of information therebetween in an information exchange session. The correspondent C having log-on applets and the correspondent having means for processing applets. The method comprising the steps of: the first correspondent C transmitting to the second correspondent S a first unique information; the second correspondent S verifying the identity of C and generating a second unique information; transmitting to C the first and second unique information; the C verifying the first unique information to thereby establish currency of the session; the first correspondent C then generating a third unique information and transmitting the third unique information to the S along with an information request; the second correspondent S transmitting to C the requested information along with said second and third unique information; said C verifying said third unique information to thereby establish currency of the request and verifying the second unique information to thereby establish currency of the session; said C repeating the above steps for each additional information requested by C. 
A LOG-ON VERIFICATION PROTOCOL 

This invention relates to a protocol for the secure receipt and transmission of data between a pair of correspondents and in particular for the secure receipt of data by a client in a client-server environment. 

BACKGROUND OF THE INVENTION 

With the advent of the Internet and the proliferation of Internet users, along with the dramatic increase in data baud rates, there has been a move to distributed computing. For example, in the Windows environment, a browser may be used to access a website and download an HTML page. Within the page might be included a program applet, much like an image that is contained within the page. The applet's code is transferred from the server to the client system and executed by the client's computer. There are also instances where software or program applets are provided from a server to a client. 

In cases where the client does not trust the server, a protocol has to be implemented whereby the client is able to authenticate the server. The same applies, more generally, where the client does not know the server, since the server will serve any client, i.e. any requester is potentially valid as far as the client is concerned. Furthermore, the applets received from the server include in some instances a log-on applet received from the server. Thus there exists a need for a log-on applet authentication protocol. 

SUMMARY OF THE INVENTION 

This invention seeks to provide a solution to the problem of server verification by a client. 

According to an aspect of this invention there is provided a method of authenticating a pair of correspondents C, S to permit exchange of information therebetween in an information exchange session, the method comprising the steps of: 

a) the first correspondent C transmitting to the second correspondent S a first unique information; 

b) the second correspondent S verifying the identity of C and generating a second unique information; 

c) transmitting to C the first and second unique information; 

d) the C verifying the first unique information to thereby establish currency of the session; 

e) the first correspondent C then generating a third unique information and transmitting the third unique information to the S along with an information request; 

f) the second correspondent S transmitting to C the requested information along with said second and third unique information; 

g) said C verifying said third unique information to thereby establish currency of the request and verifying the second unique information to thereby establish currency of the session; 

h) said C repeating steps e) to g) for each additional information requested by C. 

Also, this aspect of the invention provides for apparatus for carrying out the method. Such an apparatus can comprise any computational apparatus such as a suitably programmed computer. 



BRIEF DESCRIPTION OF THE DRAWINGS 

These and other advantages of the present invention will become more apparent from the following discussion of preferred embodiments of the invention, which are described by way of example only and with reference to the accompanying drawings, in which like elements have been assigned like reference numerals and wherein: 

Figure 1 is a schematic diagram of a client server configuration; 
Figure 2 is a schematic diagram showing server authentication; and 
Figure 3 is a schematic diagram showing applet authentication. 



DETAILED DESCRIPTION OF A PREFERRED EMBODIMENT 

WO 98/51037 PCT/CA98/00417 

Referring to figure 1, a typical arrangement in which the protocol may be implemented is shown generally by numeral 10. A client 12 includes a hardware token 14 and connects via a suitable communication channel 16 to a server 18. The hardware token 14 may be PIN activated and includes a root certifying authority (CA) public key PU_CA, a client private key PR_C, and ECDSA signing software. It may be noted that the hardware token may also be mimicked or implemented in software. 

In addition to the hardware token, the client has stored therein an identification of the client, ID_C, where in some cases the ID could be the certificate of the client containing the public key PU_C of the client. Alternatively the certificate may contain only the identity ID_C of the client. This identity may then be used as an index into a look-up table of public keys stored in the server. Additionally, the client includes a hash function such as SHA-1, elliptic curve DSA (ECDSA) verification software, and optionally MQV key exchange algorithm software and DES or TDES encryption algorithms, which are used to encrypt and/or authenticate applets from the server. 

The server includes log-on applets, crypto software and other applets. The server also includes a private key PR_S and a certificate CERT_S which includes its public key PU_S. Optionally the server may also include a database of client public keys indexed by a client identification. 

Referring now to figure 2, when the client 12 wishes to request an applet from a server for the first time, the client first authenticates the server by generating a random number x 100, preferably on the hardware token 14. A counter or a time stamp or the like may generate the value x. A hash H on the concatenation of the client identification ID_C, the root public key and x is computed 102. A signature s of the hash H is calculated using the client private key PR_C 103. The client then sends a request 104 containing ID_C, PU_C, x and s to the server 18. The client uses the value x to indicate the currency of the transaction or session. 

The server then checks that the root certifying authority public key PU_CA is correct 112. The client public key PU_C is either extracted 113 from the certificate or a lookup 113' is performed in the server database. The signature s is then verified 114 using PU_C. 

The server then generates a random number y 116 and computes the hash H' 118 on the concatenated message of the log-on applet, x, y and ID_C. A signature s' on the hash H' is computed using the server private key PR_S 120. A response 122 is sent to the client and includes the log-on applet, y, s' and the server's certificate CERT_S. Once the client receives this information it verifies the validity of CERT_S 124. The client also verifies x 125, which was sent back with the message from the server, thus indicating the currency of the session. The public key of the server PU_S is extracted from the certificate 126 and used to verify the signature s' 127. This then verifies the server to the client. The value y is also extracted and saved by the client 129 to be used in later transactions. 

Turning to figure 3, once the client has verified the server it may then request an appropriate applet by first generating a random number z 210. A request 214 is then sent to the server which includes an identification of the appropriate applet 212 and the random number z. The server then computes a hash H" on the concatenation of the applet, y, z and ID_C 216. The server then computes a signature s" 218 on the hash H" using the private key of the server PR_S. Both the applet and the signature s" are then sent to the client 220. The client verifies the signature 222 using the server public key and once verified may safely use the applet. The value y is also verified 223 to establish currency of the session. The value z is also checked 224 to make sure it is current. If the client requires more applets, steps 210 to 224 are repeated for a given session. When a new session is resumed the client may re-authenticate the server as set out in figure 2. 
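The figure 2 log-on and figure 3 applet-request exchanges described above, as an added example that is not part of the patent: a stdlib-only Python model in which both correspondents run in one process. It assumes an HMAC-based stand-in (SigKey) in place of the ECDSA key pairs and CERT_S, and uses constructed applet bytes and party names; the numeric comments refer to the step numerals of the figures. It also runs the failure case the text implies but does not spell out: an earlier applet response re-sent after a fresh request fails the z check at 224.

```python
# Model of the log-on exchange of figures 2 and 3 (added example, not the
# patent's code). Assumption: ECDSA key pairs and CERT_S are replaced by an
# HMAC-based stand-in, SigKey; applet bytes and party names are constructed.
import hashlib
import hmac
import secrets


def H(*parts: bytes) -> bytes:
    # Hash of the concatenation; the text names SHA-1 (legacy, kept for fidelity).
    return hashlib.sha1(b"".join(parts)).digest()


class SigKey:
    """Stand-in for an ECDSA key pair: HMAC over a secret plays the role of the
    signature and the 'public key' is the same object (simulation only)."""
    def __init__(self, name: bytes):
        self.name, self._secret = name, secrets.token_bytes(32)

    def sign(self, h: bytes) -> bytes:
        return hmac.new(self._secret, h, hashlib.sha256).digest()

    def verify(self, h: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(self.sign(h), sig)


class Server:
    def __init__(self, key, cert, pu_ca, logon_applet, applets):
        self.key, self.cert, self.pu_ca = key, cert, pu_ca
        self.logon_applet, self.applets = logon_applet, applets
        self.sessions = {}  # ID_C -> y of the current session

    def handle_logon(self, req):
        # 112-114: H is recomputed with the root key the server trusts, so a
        # client that signed over a different PU_CA fails verification here.
        h = H(req["id"], self.pu_ca.name, req["x"])
        if not req["pu_c"].verify(h, req["s"]):
            raise ValueError("client signature s invalid")
        y = secrets.token_bytes(16)  # 116
        self.sessions[req["id"]] = y
        s2 = self.key.sign(H(self.logon_applet, req["x"], y, req["id"]))  # 118-120
        return {"applet": self.logon_applet, "x": req["x"], "y": y,
                "s2": s2, "cert": self.cert}  # 122

    def handle_request(self, req):
        applet, y = self.applets[req["applet_id"]], self.sessions[req["id"]]
        s3 = self.key.sign(H(applet, y, req["z"], req["id"]))  # 216-218
        return {"applet": applet, "y": y, "z": req["z"], "s3": s3}  # 220


class Client:
    def __init__(self, id_c, pu_ca, key):
        self.id_c, self.pu_ca, self.key = id_c, pu_ca, key
        self.x = self.y = self.z = self.pu_s = None

    def logon_request(self):
        self.x = secrets.token_bytes(16)  # 100
        s = self.key.sign(H(self.id_c, self.pu_ca.name, self.x))  # 102-103
        return {"id": self.id_c, "pu_c": self.key, "x": self.x, "s": s}  # 104

    def verify_logon(self, resp):
        cert = resp["cert"]
        if not self.pu_ca.verify(H(cert["key"].name), cert["sig"]):  # 124
            raise ValueError("CERT_S not signed by the root CA")
        if not hmac.compare_digest(resp["x"], self.x):  # 125
            raise ValueError("x mismatch: response is not for this session")
        self.pu_s = cert["key"]  # 126
        h = H(resp["applet"], self.x, resp["y"], self.id_c)
        if not self.pu_s.verify(h, resp["s2"]):  # 127
            raise ValueError("server signature s' invalid")
        self.y = resp["y"]  # 129
        return resp["applet"]

    def applet_request(self, applet_id):
        self.z = secrets.token_bytes(16)  # 210
        return {"id": self.id_c, "applet_id": applet_id, "z": self.z}  # 212-214

    def verify_applet(self, resp):
        h = H(resp["applet"], resp["y"], resp["z"], self.id_c)
        if not self.pu_s.verify(h, resp["s3"]):  # 222
            raise ValueError("server signature s'' invalid")
        if not hmac.compare_digest(resp["y"], self.y):  # 223
            raise ValueError("y mismatch: not this session")
        if not hmac.compare_digest(resp["z"], self.z):  # 224
            raise ValueError("z mismatch: stale or replayed response")
        return resp["applet"]


def make_parties():
    # Constructed sample deployment: one root CA, one server 18, one client 12.
    ca, server_key = SigKey(b"root-CA"), SigKey(b"server-18")
    cert = {"key": server_key, "sig": ca.sign(H(server_key.name))}
    server = Server(server_key, cert, ca, b"<log-on applet bytes>",
                    {b"calc": b"<calc applet bytes>"})
    return Client(b"client-12", ca, SigKey(b"client-12")), server


def run_session():
    # Figure 2 log-on followed by one figure 3 applet fetch; returns both applets.
    client, server = make_parties()
    logon = client.verify_logon(server.handle_logon(client.logon_request()))
    applet = client.verify_applet(server.handle_request(client.applet_request(b"calc")))
    return logon, applet


def replay_is_rejected():
    # An earlier applet response re-sent after a fresh request fails the z check.
    client, server = make_parties()
    client.verify_logon(server.handle_logon(client.logon_request()))
    old = server.handle_request(client.applet_request(b"calc"))
    client.applet_request(b"calc")  # fresh z; 'old' still carries the previous z
    try:
        client.verify_applet(old)
    except ValueError as exc:
        return str(exc).startswith("z mismatch")
    return False
```

Note that y is bound into every signed hash of a session and z into every signed response, so the server cannot be made to sign a reply for one request that the client will accept for another; the check order (signature, then y, then z) follows numerals 222 to 224 in the text.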

While the invention has been described in connection with a specific embodiment thereof and in a specific use, various modifications thereof will occur to those skilled in the art without departing from the spirit of the invention. 

The terms and expressions which have been employed in the specification are used as terms of description and not of limitation; there is no intention in the use of such terms and expressions to exclude any equivalents of the features shown and described or portions thereof, but it is recognized that various modifications are possible within the scope of the invention. 
THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS: 

1. A method of authenticating a pair of correspondents C, S to permit exchange of information therebetween in an information exchange session, the method comprising the steps of: 

a) the first correspondent C transmitting to the second correspondent S a first unique information; 

b) the second correspondent S verifying the identity of C and generating a second unique information; 

c) transmitting to C the first and second unique information; 

d) the C verifying the first unique information to thereby establish currency of the session; 

e) the first correspondent C then generating a third unique information and transmitting the third unique information to the S along with an information request; 

f) the second correspondent S transmitting to C the requested information along with said second and third unique information; 

g) said C verifying said third unique information to thereby establish currency of the request and verifying the second unique information to thereby establish currency of the session; 

h) said C repeating steps e) to g) for each additional information requested by C. 

2. A method as defined in claim 1, said unique information being a random number x. 



3. A method as defined in claim 2, said correspondent C including a hardware token for generating said random number. 

4. A data communication system for providing exchange of authenticated information between a pair of correspondents C, S in an information exchange session, said system comprising: 

a) said first correspondent C including a hardware token having a public key, a private key and ECDSA program; said program for 

i) transmitting to the second correspondent S a first unique information; 

ii) the second correspondent S verifying the identity of C and generating a second unique information; 

iii) transmitting to C the first and second unique information; 

iv) the correspondent C verifying the first unique information to thereby establish currency of the session; 

v) the first correspondent C then generating a third unique information and transmitting the third unique information to the S along with an information request; 

vi) the second correspondent S transmitting to C the requested information along with said second and third unique information; 

vii) said correspondent C verifying said third unique information to thereby establish currency of the request and verifying the second unique information to thereby establish currency of the session; 

viii) said C repeating steps v) to vii) for each additional information requested by C. 

5. A system for authenticating a pair of correspondents C, S to permit exchange of information therebetween in an information exchange session, the system comprising: 

a) means for transmitting by the first correspondent C to the second correspondent S a first unique information; 

b) means for verifying the identity of C by the second correspondent S and generating a second unique information; 

c) means for transmitting to C the first and second unique information; 

d) means for verifying the first unique information by the C to thereby establish currency of the session; 

e) means for generating a third unique information and transmitting the third unique information to the S along with an information request; 

f) means for transmitting to C the requested information along with said second and third unique information; 

g) means for verifying said third unique information to thereby establish currency of the request and verifying the second unique information to thereby establish currency of the session; 

h) means for successively requesting additional information by said correspondent C. 